Cisco Tetration - Hands-On Lab
Module03 - Agent Installation
Tetration agent (also called sensor) installation can be performed manually using a shell script for Linux and a PowerShell script (.ps1) for Windows. These scripts can also be leveraged by third-party software configuration management systems such as Ansible, Puppet, Microsoft SCCM, etc. to automate deployment across multiple machines. The installation does not require any modification to run unattended; the scripts run without any interaction from the administrator. It is important that the scripts be downloaded from the Tetration cluster, as they have specific information embedded to connect to the cluster. When a script is executed, it pulls down the required software from the Tetration cluster based on the operating system in use. This means that outbound connectivity from each server to the Tetration cluster is a requirement.
In this module, we’ll download the installation scripts for Windows and Linux from the Tetration cluster and use Ansible to perform automated rollout of the sensors.
This diagram depicts how you will deploy Tetration Agents out to each of your workloads in your lab environment. Deployment will occur by performing the following tasks:
- Connect to the Guac server via HTTPS
- Click on and connect to the Ansible machine
- Verify and, if necessary, edit the inventory for deployment by first changing directories with `cd /opt/ansible-tetration-sensor/`, running `sudo nano inventory/hosts`, and, when prompted with `[sudo] password for ciscolab:`, entering the standard lab password of `tet123$$!`.
The Ansible machine is already configured to deploy agents out to the following workloads by OS:
- Windows 2019
  - nopCommerce IIS server
  - nopCommerce MSSQL server
  - Active Directory server
- CentOS 7
  - OpenCart Apache server
  - OpenCart MySQL server
  - Ansible Automation server (itself)
- Ubuntu 16.04
  - EKS Worker Node
Steps for this Module
Step 001 - Navigate to Agent Config
Step 002 - Click on Software Agent Download
Step 003 - Select the Linux Enforcement Agent
Step 004 - Save the Linux shell script
Step 005 - Select the Windows Enforcement Agent
Step 006 - Save the Windows PowerShell script
Step 007 - Open a session to the Ansible machine
Step 008 - Copy the scripts to the Ansible machine
Step 009 - Examine the Ansible inventory
Step 010 - Run the Ansible playbook
Step 011 - Verify Ansible playbook results
Step 012 - Open a session to the IIS web server
Step 013 - Locate the Services console
Step 014 - Verify the Tetration services are active
Step 015 - Open a session to the Apache web server
Step 016 - Verify the Tetration services are active
Step 017 - Navigate to Software Agents
Step 018 - Verify the agents are registered
Navigate to Agent Config.
Select the Software Agent Download tab.
Select the Linux platform, Enforcement Agent, and then click Download Installer.
Save the file to the desktop and rename it to `tet-linux.sh`.
Select the Windows platform, Enforcement Agent, and then Download Installer.
Name the file `tet-win.ps1` and save the file to the desktop.
Log into the Apache Guacamole server and open a session to the Ansible machine.
Copy the scripts from the desktop to the Ansible machine by clicking and dragging them from the desktop to the Ansible console window. A file copy dialogue should be displayed in the lower right-hand corner. Once complete, do an `ls` to list the directory on the Ansible machine and make sure the files are present.
Switch to the directory containing the Ansible playbooks with the command `cd /opt/ansible-tetration-sensor/` and then `cd inventory` to switch to the Inventory directory. Type the command `cat hosts` and examine the contents of the inventory file. The Linux and Windows machine IP addresses as listed in your student spreadsheet should already be populated in the [centos] section for Linux and the [win] section for Windows.
Type `cd ..` to exit the Inventory directory and run the following command to execute the Ansible playbook:
ansible-playbook playbooks/clean-install-with-script.yml
The Ansible playbook will take a few minutes to complete. When finished, you should see a PLAY RECAP section indicating the success or failure of installation on each machine.
Ignore the failure of host 10.1.0.162 in the image below; the machine was undergoing maintenance when the installation was performed.
The playbook may display an error such as the one below for the Windows machines. Ignore the error: the installation actually completed successfully, but the connection from the Ansible machine was disrupted briefly by the sensor installation. We are currently investigating workarounds to avoid the error in the future.
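To pull the hosts that need a closer look out of a long run, the following added example (not part of the lab's playbook repository) reads saved ansible-playbook output and lists every host whose PLAY RECAP entry shows unreachable or failed above zero. The sample output, the 192.0.2.x addresses and the task name are constructed; only 10.1.0.162 comes from the lab text, and its counters here are assumed.

```shell
#!/bin/sh
# Added example: list hosts flagged in the PLAY RECAP of an ansible-playbook run.

# Read ansible-playbook output on stdin; print one line per host whose recap
# entry has unreachable or failed above zero: "<host> unreachable=N failed=N".
recap_problem_hosts() {
    awk '
        /^PLAY RECAP/ { in_recap = 1; next }
        in_recap && NF == 0 { in_recap = 0 }      # a blank line ends the recap
        in_recap && $2 == ":" {
            u = 0; f = 0
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "unreachable") u = kv[2]
                if (kv[1] == "failed") f = kv[2]
            }
            if (u + 0 > 0 || f + 0 > 0)
                printf "%s unreachable=%d failed=%d\n", $1, u, f
        }
    '
}

# Constructed sample output (not captured from the lab).
SAMPLE_RUN='TASK [run installer] ***********************************************************
changed: [192.0.2.11]

PLAY RECAP *********************************************************************
10.1.0.162                 : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
192.0.2.11                 : ok=5    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.0.2.21                 : ok=3    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0'

# Against a real run, save the output first:
#   ansible-playbook playbooks/clean-install-with-script.yml | tee run.log
#   recap_problem_hosts < run.log
printf '%s\n' "$SAMPLE_RUN" | recap_problem_hosts
```

A host flagged here, such as a Windows machine hit by the connection error described above, still has to be confirmed through the service checks in the steps that follow.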
Open a session to the IIS Web Server.
Click on the Search button and enter “services”, and then open up Services Control Panel.
Scroll down and locate the WindowsAgentEngine and WindowsTetEngine services and ensure they are in the Running state.
REPEAT STEPS 012-014 FOR THE MS-SQL DB SERVER AND MICROSOFT ACTIVE DIRECTORY SERVER
Open a session to the Apache Web Server.
Run the command `ps -ef | grep tet` and ensure that the tet-engine, tet-enforcer, and tet-sensor services are displayed.
REPEAT STEPS 015-016 FOR THE MYSQL DB SERVER
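`grep tet` also matches the grep process itself and any command line that merely contains the string, so a quick look can miss a stopped service. The following added example (not from the lab or from Cisco) reads `ps -ef` output and prints which of the three expected processes are absent, matching on the executable name only; the sample process table and its /opt/example paths are constructed.

```shell
#!/bin/sh
# Added example: report which Tetration agent processes are absent from `ps -ef`.
# The three process names are the ones the lab step lists.

EXPECTED_PROCS="tet-engine tet-enforcer tet-sensor"

# Read `ps -ef` output on stdin; print the expected process names that are not
# running, space-separated (empty output means all three were found).
# Only the basename of the executable (field 8, the start of CMD) is compared,
# so `grep tet` or an editor opened on a file named like an agent does not count.
missing_tet_procs() {
    awk -v expected="$EXPECTED_PROCS" '
        BEGIN { n = split(expected, want, " ") }
        $2 ~ /^[0-9]+$/ {               # skip the header row
            cmd = $8
            sub(/.*\//, "", cmd)        # strip the directory part
            seen[cmd] = 1
        }
        END {
            out = ""; sep = ""
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { out = out sep want[i]; sep = " " }
            print out
        }
    '
}

# Constructed sample: tet-enforcer is not running, but two unrelated
# command lines contain "tet" and would show up in `grep tet`.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      1201     1  0 10:02 ?        00:00:03 /opt/example/tet-engine
root      1215  1201  0 10:02 ?        00:00:09 /opt/example/tet-sensor
ciscolab  2290  2101  0 10:15 pts/0    00:00:00 grep --color=auto tet
ciscolab  2291  2101  0 10:15 pts/0    00:00:00 nano /tmp/tet-enforcer.notes'

# On a workload: ps -ef | missing_tet_procs
printf '%s\n' "$SAMPLE_PS" | missing_tet_procs
```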
Navigate to Agent Config.
Click on the Software Agents tab, and ensure that all of the sensors that were installed are displayed.
YOU HAVE FINISHED THIS MODULE